Box’s device pinning feature enables you to establish a policy for the maximum number of devices that can access Box’s service from a phone, tablet (iOS, Android, and Windows Phone) or desktop (Mac and Windows). To enable device pinning, navigate to Admin Console > Enterprise Settings > Security tab.
This feature is available to Business Plus and Enterprise accounts.
Beneath the Application Settings, in the Application Usage section, is a list of all connected devices. Connected devices are listed by Username, date of first install, and device type. You can filter for individuals by searching their name or email and filter by device type.
Determining a Policy for Device Pinning
The policy you decide on for device pinning is an organizational decision that will vary for each deployment of Box. While a good practice might be to limit sync to a single corporate laptop, phones and tablets can be transactional devices that get upgraded and replaced frequently. You may opt to have a more open policy for phones and tablets to reduce IT overhead.
Additionally, even if the policy is unlimited for each device type, device pinning gives you visibility into all connected devices throughout the organization and the ability to easily remove them when necessary. An admin can optionally be notified each time a new device is connected. If the policy is for a limited number of connected devices, admins can optionally exempt specific users from the policy.
Rolling Out Device Pinning and Sync
To ensure the correct laptop is pinned, a good practice is to disable sync by default for new users. To do this, navigate to Admin Console > Enterprise Settings > User Settings tab. In the New User Defaults section, clear the Enable Box Sync check box.
When someone asks to have sync on their corporate device, they can notify the IT team. At that point the person can bring their corporate laptop to the IT team to verify Box Sync is pinned to the correct, corporate device. To do this, navigate to Admin Console > Users & Groups > Managed Users tab, find the person who wants to enable sync, and in the Edit User Access permissions section check Enable Box Sync, and then click Save.
Once the user logs into sync with their device, their device is pinned and they are unable to log into Box Sync from a different device.
What If the Device is Lost or Stolen?
If someone reports a lost or stolen device, you can remove the device. To do this, navigate to Admin Console > Enterprise Settings > Security tab.
- In the Application Usage section search for the individual by email or username.
- Click the All Application Types down arrow, and from the list that displays click the device reported lost.
- Next to each lost device, check the box. Be sure to remove all connected devices that match the device that was reported lost -- for example, remove all connected iPads even if only one iPad was reported lost.
Alternatively, you can also remove the device(s) by navigating to Admin Console > Users & Groups > Managed Users. Search for the individual you want, and in the Installed Applications section, check the box next to the lost device.
For more restrictive controls, Box also has the ability to prevent people from saving files onto their devices on iOS, Android, Windows 8, and Windows Phone. This prevents offline access to the files, as well as the ability to open files in other third-party productivity applications in the OneCloud ecosystem.
Box does recommend you require an application passcode lock, which can be enforced after a certain period of inactivity. To do this, navigate to Admin Console > Enterprise Settings tab, and in the Passcode Settings section click the Require application passcode lock
If you have not selected a vendor for mobile security management, Box also maintains partnerships with best-of-breed MDM vendors like AirWatch, MobileIron, MaaS360, or Intune. If interested, ask your Customer Success Manager or Account Executive for additional information. Features offered include enforced local encryption, remote wipe, disabling cut, copy, and paste, and app distribution.